Hi Tim,

Tim Rühsen <tim.rueh...@gmx.de> wrote:

> On Saturday, 8 July 2017 15:32:44 CEST Ludovic Courtès wrote:
>> Hello,
>>
>> I experienced the test failure reported at
>> <https://lists.gnu.org/archive/html/bug-wget/2017-06/msg00009.html> for
>> ‘testenv/Test--https.py’ and related tests with:
>>
>>   The certificate's owner does not match hostname
>>
>> There’s no problem when wget is built against GnuTLS 3.5.9; the test
>> failure shows up when wget is built against GnuTLS 3.5.13.
>>
>> After digging a bit, I found this change in GnuTLS 3.5.12 ‘NEWS’:
>>
>> --8<---------------cut here---------------start------------->8---
>> ** libgnutls: gnutls_x509_crt_check_hostname2() no longer matches IP
>> addresses against DNS fields of certificate (CN or DNSname). The previous
>> behavior was to tolerate some misconfigured servers, but that was
>> non-standard and skipped any IP constraints present in higher level
>> certificates.
>> --8<---------------cut here---------------end--------------->8---
>>
>> I think the fix is (1) to explicitly regenerate test certificates that
>> use “localhost” as their ‘DNSname’ (when replying to certtool’s “Enter a
>> dnsName of the subject of the certificate”), and (2) to use “localhost”
>> instead of “127.0.0.1” in test URIs.
>>
>> Thoughts?
>
> Thanks again, fixed now by
>
> - hard-coding the server domain to 'localhost'
> - replacing 127.0.0.1 by localhost in several tests
> - regenerating the server cert and crl files

Awesome, thanks for the quick reply!

Ludo’.
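
Added example (not part of the thread, and not GnuTLS or wget code): a simplified Python model of the matching rule quoted from the GnuTLS 3.5.12 NEWS, showing why a URI with an IP address stops verifying unless the certificate carries that address as an IP entry. The certificate dicts, the function names and the `legacy_ip_in_dns` switch are constructed for illustration; the CN fallback and the single-label wildcard rule follow common RFC 6125 practice and are assumptions here.

```python
import ipaddress

# Constructed certificate models: subjectAltName entries by type, plus the CN.
OLD_CERT = {"cn": "127.0.0.1", "dns": ["127.0.0.1"], "ip": []}  # IP text in DNS fields
NEW_CERT = {"cn": "localhost", "dns": ["localhost"], "ip": []}  # regenerated for localhost
IP_CERT = {"cn": "localhost", "dns": ["localhost"], "ip": ["127.0.0.1", "::1"]}


def is_ip_literal(name):
    """True when the reference identifier parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def dns_match(pattern, host):
    """Case-insensitive DNS name match; '*' may only stand for the left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def check_hostname(cert, reference, legacy_ip_in_dns=False):
    """Model of the check: IP references match IP entries, names match DNS fields."""
    if is_ip_literal(reference):
        ref = ipaddress.ip_address(reference)
        if any(ipaddress.ip_address(ip) == ref for ip in cert["ip"]):
            return True
        if not legacy_ip_in_dns:
            return False  # strict: never compare an IP against CN or DNSname
        # Tolerant mode described in NEWS as the previous behaviour.
        return reference in cert["dns"] + [cert["cn"]]
    # Assumption: CN is consulted only when no DNSname entry is present.
    names = cert["dns"] or [cert["cn"]]
    return any(dns_match(n, reference) for n in names)


if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT), ("ip-san", IP_CERT)):
        for ref in ("127.0.0.1", "localhost"):
            print(label, ref, "tolerant:", check_hostname(cert, ref, True),
                  "strict:", check_hostname(cert, ref))
```

In the strict mode only `IP_CERT` verifies for `127.0.0.1`, which is why the fix in the thread pairs the regenerated certificate with `localhost` test URIs.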